Secure video card methods and systems

ABSTRACT

Methods and systems for protecting data that is intended for use and processed on video or graphics cards are described. In one embodiment, unencrypted data is provided in a video card memory. The unencrypted data is encrypted on the video card and transferred off of the video card.

RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S.application Ser. No. 10/052,840, filed on Jan. 16, 2002 now U.S. Pat.No. 7,065,651, the disclosure of which is incorporated by referenceherein.

TECHNICAL FIELD

This invention relates to methods and systems for processing video datausing video cards.

BACKGROUND

Typically, a content author, such as a movie studio or a user publishingcontent on the web, will publish video content that has restrictions onhow users can view it. This content can typically be viewed or renderedon a computer such as a personal computer. A great deal of time, effortand money is spent each year by unscrupulous individuals andorganizations trying to steal or otherwise inappropriately obtain suchvideo content.

One of the points of attack can be the computer on which such videocontent is to be viewed or rendered. That is, rogue programs or devicescan and often do try to inappropriately obtain video content once it hasbeen received on a computer, such as a personal computer. Among othercomputer components, this attack can be waged against the video cardthat processes the video content and/or the bus that transports thevideo content to and from the video card.

FIG. 1 shows an exemplary video (or graphics) card 100 that includes abus connector 102 that inserts into a port on a typical computer. Videocard 100 also includes a monitor connector 104 (e.g. a 15-pin plug) thatreceives a cable that connects to a monitor. Video card 100 can includea digital video-out socket 106 that can be used for sending video imagesto LCD and flat panel monitors and the like.

The modem video card consists of four main components: the graphicsprocessor unit (GPU) 108, the video memory 110, the random access memorydigital-to-analog converter (RAMDAC) 112, and the driver software whichcan be included in the Video BIOS 114.

GPU 108 is a dedicated graphics processing chip that controls allaspects of resolution, color depth, and all elements associated withrendering images on the monitor screen. The computer's centralprocessing unit or CPU (not shown) sends a set of drawing instructionsand data, which are interpreted by the graphics card's proprietarydriver and executed by the card's GPU 108. GPU 108 performs suchoperations as bitmap transfers and painting, window resizing andrepositioning, line drawing, font scaling and polygon drawing. The GPU108 is designed to handle these tasks in hardware at far greater speedsthan the software running on the system's CPU. The GPU then writes theframe data to the frame buffer (or on-board video memory 110). The GPUgreatly reduces the workload of the system's CPU.

The memory that holds the video image is also referred to as the framebuffer and is usually implemented on the video card itself. In thisexample, the frame buffer is implemented on the video card in the formof memory 110. Early systems implemented video memory in standard DRAM.However, this requires continual refreshing of the data to prevent itfrom being lost and cannot be modified during this refresh process. Theconsequence, particularly at the very fast clock speeds demanded bymodem graphics cards, is that performance is badly degraded.

An advantage of implementing video memory on the video card itself isthat it can be customized for its specific task and, indeed, this hasresulted in a proliferation of new memory technologies:

-   -   Video RAM (VRAM): a special type of dual-ported DRAM, which can        be written to and read from at the same time. It also requires        far less frequent refreshing than ordinary DRAM and consequently        performs much better;    -   Windows RAM (WRAM): as used by the Matrox Millennium card, is        also dual-ported and can run slightly faster than conventional        VRAM;    -   EDO DRAM: which provides a higher bandwidth than DRAM, can be        clocked higher than normal DRAM and manages the read/write        cycles more efficiently;    -   SDRAM: Similar to EDO RAM except the memory and graphics chips        run on a common clock used to latch data, allowing SDRAM to run        faster than regular EDO RAM;    -   SGRAM: Same as SDRAM but also supports block writes and        write-per-bit, which yield better performance on graphics chips        that support these enhanced features; and    -   DRDRAM: Direct RDRAM is a totally new, general-purpose memory        architecture which promises a 20-fold performance improvement        over conventional DRAM.

Some designs integrate the graphics circuitry into the motherboarditself and use a portion of the system's RAM for the frame buffer. Thisis called “unified memory architecture” and is used for reasons of costreduction only and can lead to inferior graphics performance.

The information in the video memory frame buffer is an image of whatappears on the screen, stored as a digital bitmap. But while the videomemory contains digital information its output medium—the monitor—mayuse analog signals. The analog signals require more than just an “on” or“off” signal, as it is used to determine where, when and with whatintensity the electron guns should be fired as they scan across and downthe front of the monitor. This is where RAMDAC 112 comes into play asdescribed below. Some RAMDACs also support digital video interface (DVI)outputs for digital displays such as LCD monitors. In suchconfigurations, the RAMDAC converts the internal digital representationinto a form understandable by the digital display.

The RAMDAC plays the roll of a “display converter” since it converts theinternal digital data into a form that is understood by the display.

Even though the total amount of video memory installed on the video cardmay not be needed for a particular resolution, the extra memory is oftenused for caching information for the GPU 108. For example, the cachingof commonly used graphical items—such as text fonts and icons orimages—avoids the need for the graphics subsystem to load these eachtime a new letter is written or an icon is moved and thereby improvesperformance. Cached images can be used to queue up sequences of imagesto be presented by the GPU, thereby freeing up the CPU to perform othertasks.

Many times per second, RAMDAC 112 reads the contents of the videomemory, converts it into a signal, and sends it over the video cable tothe monitor. For analog displays, there is typically oneDigital-to-Analog Converter (DAC) for each of the three primary colorsthe CRT uses to create a complete spectrum of colors. For digitaldisplays, the RAMDAC outputs a single RGB data stream to be interpretedand displayed by the output device. The intended result is the right mixneeded to create the color of a single pixel. The rate at which RAMDAC112 can convert the information, and the design of GPU 108 itself,dictates the range of refresh rates that the graphics card can support.The RAMDAC 112 also dictates the number of colors available in a givenresolution, depending on its internal architecture.

The bus connector 102 can support one or more busses that are used toconnect with the video card. For example, an Accelerated Graphics Port(AGP) bus can enable the video card to directly access system memory.Direct memory access helps to make the peak bandwidth many times higherthan the Peripheral Component Interconnect (PCI) bus. This can allow thesystem's CPU to do other tasks while the GPU on the video card accessessystem memory.

During operation, the data contained in the on-board video memory can beprovided into the computer's system memory and can be managed as if itwere part of the system's memory. This includes such things as virtualmemory management techniques that the computer's memory manage employs.Further, when the data contained in the system's memory is needed for agraphics operation on the video card, the data can be sent over a bus(such as a PCI or AGP bus) to the video card and stored in the on-boardvideo memory 110. There, the data can be accessed and manipulated by GPU108 as described above.

When the data is transferred from the system memory to the video memoryon the video card and vice versa, it is possible for PCI devicesconnected to the PCI bus to “listen” to the data as it is transferred.The PCI bus also makes the video memory “visible” to the rest of thesystem, as if it existed like system memory. As a result, it is possiblefor a PCI device to acquire the PCI bus and simply copy the contents ofthe video memory to another device. If the PCI device is synchronizedwith the incoming video, it could potentially capture all of thecontent.

There are two previous options to protect the content once it is in thevideo memory on the video card.

First, the video memory can remain accessible but the content is storedin a protected, encrypted form so that it is unreadable to rogue devicesand applications. While this prevents the data from being read, it alsorequires that the data be continually maintained in an encrypted form.If the video card (i.e. the GPU) wishes to process the data, it mustatomically decrypt on read, process and re-encrypt on every write backto the video memory. For video data, the decompressed data could requiremore than 300 mb per second just to display. Accordingly, theencryptor/decryptor would have to operate at these high data rates.Typically, several video streams will be processed into a single outputstream. For example, picture-in-picture (PIP) or a multi-channel displaywould blend eight channels into a single display. This would requireeight simultaneous decryptors and one encryptor running at 300 mb persecond (a total of around 2.4 gigabytes per second). Thus, this approachis not very desirable due to the high computation requirements.

Second, the content or data in the video memory can simply be madeinaccessible. This is typically not possible due to the design of thePCI and AGP buses, since the video memory is mapped into physical memory(i.e. it appears as if it is regular system memory). The video memory isthus accessible to any PCI device which can then acquire the PCI bus andperform the data transfer without the knowledge of the CPU. Thus, thisapproach is not very desirable since the memory controller (or GPU)cannot reliably determine who is accessing the memory.

Accordingly, this invention arose out of concerns associated withproviding secure video processing systems and methods.

SUMMARY

Methods and systems for protecting data that is intended for use andprocessed on video or graphics cards are described. In one embodiment,unencrypted data is provided in a video card memory. The unencrypteddata is encrypted on the video card and transferred off of the videocard.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that shows various components of an exemplaryvideo or graphics card that is intended for use in a computer system.

FIG. 2 is a block diagram of an exemplary computer system that canemploy video cards in accordance with the described embodiment.

FIG. 3 is a flow diagram that describes steps in a method in accordancewith one embodiment.

FIG. 4 is a flow diagram that describes steps in a method in accordancewith one embodiment.

FIG. 5 is a block diagram that shows various components of an exemplaryvideo or graphics in accordance with one embodiment.

FIG. 6 is a block diagram that shows various components of the FIG. 5video card.

FIG. 7 is a flow diagram that describes steps in a method in accordancewith one embodiment.

FIG. 8 is a block diagram that is useful in understanding certainaspects of the described embodiments.

FIG. 9 is a flow diagram that describes steps in a method in accordancewith one embodiment.

FIG. 10 is a block diagram that shows various components of a video cardin accordance with one embodiment.

DETAILED DESCRIPTION

Exemplary Computer System

FIG. 2 illustrates an example of a suitable computing environment 200 onwhich the system and related methods described below can be implemented.

It is to be appreciated that computing environment 200 is only oneexample of a suitable computing environment and is not intended tosuggest any limitation as to the scope of use or functionality of themedia processing system. Neither should the computing environment 200 beinterpreted as having any dependency or requirement relating to any oneor combination of components illustrated in the exemplary computingenvironment 200.

The various described embodiments can be operational with numerous othergeneral purpose or special purpose computing system environments orconfigurations. Examples of well known computing systems, environments,and/or configurations that may be suitable for use with the mediaprocessing system include, but are not limited to, personal computers,server computers, thin clients, thick clients, hand-held or laptopdevices, multiprocessor systems, microprocessor-based systems, set topboxes, programmable consumer electronics, network PCs, minicomputers,mainframe computers, distributed computing environments that include anyof the above systems or devices, and the like.

In certain implementations, the system and related methods may well bedescribed in the general context of computer-executable instructions,such as program modules, being executed by a computer. Generally,program modules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types. The embodiments can also be practiced indistributed computing environments where tasks are performed by remoteprocessing devices that are linked through a communications network. Ina distributed computing environment, program modules may be located inboth local and remote computer storage media including memory storagedevices.

In accordance with the illustrated example embodiment of FIG. 2,computing system 200 is shown comprising one or more processors orprocessing units 202, a system memory 204, and a bus 206 that couplesvarious system components including the system memory 204 to theprocessor 202.

Bus 206 is intended to represent one or more of any of several types ofbus structures, including a memory bus or memory controller, aperipheral bus, an accelerated graphics port, and a processor or localbus using any of a variety of bus architectures. By way of example, andnot limitation, such architectures include Industry StandardArchitecture (ISA) bus, Micro Channel Architecture (MCA) bus, EnhancedISA (EISA) bus, Video Electronics Standards Association (VESA) localbus, and Peripheral Component Interconnects (PCI) bus also known asMezzanine bus.

Computer 200 typically includes a variety of computer readable media.Such media may be any available media that is locally and/or remotelyaccessible by computer 200, and it includes both volatile andnon-volatile media, removable and non-removable media.

In FIG. 2, the system memory 204 includes computer readable media in theform of volatile, such as random access memory (RAM) 210, and/ornon-volatile memory, such as read only memory (ROM) 208. A basicinput/output system (BIOS) 212, containing the basic routines that helpto transfer information between elements within computer 200, such asduring start-up, is stored in ROM 208. RAM 210 typically contains dataand/or program modules that are immediately accessible to and/orpresently be operated on by processing unit(s) 202.

Computer 200 may further include other removable/non-removable,volatile/non-volatile computer storage media. By way of example only,FIG. 2 illustrates a hard disk drive 228 for reading from and writing toa non-removable, non-volatile magnetic media (not shown and typicallycalled a “hard drive”), a magnetic disk drive 230 for reading from andwriting to a removable, non-volatile magnetic disk 232 (e.g., a “floppydisk”), and an optical disk drive 234 for reading from or writing to aremovable, non-volatile optical disk 236 such as a CD-ROM, DVD-ROM orother optical media. The hard disk drive 228, magnetic disk drive 230,and optical disk drive 234 are each connected to bus 206 by one or moreinterfaces 226.

The drives and their associated computer-readable media providenonvolatile storage of computer readable instructions, data structures,program modules, and other data for computer 200. Although the exemplaryenvironment described herein employs a hard disk 228, a removablemagnetic disk 232 and a removable optical disk 236, it should beappreciated by those skilled in the art that other types of computerreadable media which can store data that is accessible by a computer,such as magnetic cassettes, flash memory cards, digital video disks,random access memories (RAMs), read only memories (ROM), and the like,may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk 228, magneticdisk 232, optical disk 236, ROM 208, or RAM 210, including, by way ofexample, and not limitation, an operating system 214, one or moreapplication programs 216 (e.g., multimedia application program 224),other program modules 218, and program data 220. A user may entercommands and information into computer 200 through input devices such askeyboard 238 and pointing device 240 (such as a “mouse”). Other inputdevices may include a audio/video input device(s) 253, a microphone,joystick, game pad, satellite dish, serial port, scanner, or the like(not shown). These and other input devices are connected to theprocessing unit(s) 202 through input interface(s) 242 that is coupled tobus 206, but may be connected by other interface and bus structures,such as a parallel port, game port, or a universal serial bus (USB).

A monitor 256 or other type of display device is also connected to bus206 via an interface, such as a video adapter or video/graphics card244. In addition to the monitor, personal computers typically includeother peripheral output devices (not shown), such as speakers andprinters, which may be connected through output peripheral interface246.

Computer 200 may operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computer250. Remote computer 250 may include many or all of the elements andfeatures described herein relative to computer.

As shown in FIG. 2, computing system 200 is communicatively coupled toremote devices (e.g., remote computer 250) through a local area network(LAN) 251 and a general wide area network (WAN) 252. Such networkingenvironments are commonplace in offices, enterprise-wide computernetworks, intranets, and the Internet.

When used in a LAN networking environment, the computer 200 is connectedto LAN 251 through a suitable network interface or adapter 248. Whenused in a WAN networking environment, the computer 200 typicallyincludes a modem 254 or other means for establishing communications overthe WAN 252. The modem 254, which may be internal or external, may beconnected to the system bus 206 via the user input interface 242, orother appropriate mechanism.

In a networked environment, program modules depicted relative to thepersonal computer 200, or portions thereof, may be stored in a remotememory storage device. By way of example, and not limitation, FIG. 2illustrates remote application programs 216 as residing on a memorydevice of remote computer 250. It will be appreciated that the networkconnections shown and described are exemplary and other means ofestablishing a communications link between the computers may be used.

Overview

In the embodiments described below, data that is intended for use by avideo card can be encrypted such that anytime the data is provided ontoa bus (e.g. the PCI or AGP bus) between the video card and the computersystem, the data is encrypted. This is advantageous because snoopingdevices or rogue applications that acquire the bus cannot access thedata in its unencrypted form. Thus, when data is moved from the videomemory on the video card to the system's memory (e.g. when it is mappedto the system's physical memory) and vice versa, the data is inencrypted form and thus protected.

When the encrypted data is transferred from the system's memory to thevideo card for processing by the graphics processor unit (GPU), it canbe decrypted and placed into protected memory on the video card. Thus,the GPU can perform operations on the unencrypted data—which is what theGPU is best suited to do.

In the embodiments described below, two specific implementations aredescribed that are directed to protecting data by encrypting it wheneverit is to travel on a bus between the video card and the computer system.It is to be appreciated and understood that the specifically describedembodiments are but examples only and that variations can be made to thespecific implementations without departing from the spirit and scope ofthe claimed subject matter.

FIG. 3 is a flow diagram that describes steps in a method in accordancewith one embodiment. This method can be implemented in any suitablehardware, software, firmware or combination thereof. In this particularexample, the method describes exemplary processing steps that areperformed when data is moved from the video card to the system or systemmemory.

Step 300 provides unencrypted data on the video card. This data is thedata that is typically processed by the video card's GPU and is providedin the video card's memory. Step 302 encrypts the unencrypted data onthe video card. This step can be implemented in response to a request totransfer the data to the system's memory. For example, the CPU may sendan instruction to move the data from the video card to the system'smemory. Alternately, the GPU may determine that it does not need thedata any longer and therefore initiates a transfer to the system'smemory. The data can be encrypted on the video card using any suitableencryption techniques. Step 304 then sends the encrypted data over a busbetween the video card and the system. Exemplary buses can be the PCIbus and the AGP bus. Step 306 provides the encrypted data into systemmemory.

In the process described above, the data that moves from the video cardto the system's memory is encrypted and thus, any snooping devices orrogue applications that attempt to acquire the bus and steal or copy thedata will receive only encrypted data which, to the snooping devices orrogue applications, will be mathematically infeasible to decrypt.

FIG. 4 is a flow diagram that describes steps in a method in accordancewith one embodiment. This method can be implemented in any suitablehardware, software, firmware or combination thereof. In this particularexample, the method describes exemplary processing steps that areperformed when data is moved from the system or system memory to thevideo card.

Step 400 provides data in the system memory. Such data is typically datathat is utilized by the video card for processing. The data can beprovided in the system memory as either encrypted or unencrypted data.Step 402 can encrypt the data (if it is unencrypted in the systemmemory) and can send the data to a bus between the system memory and thevideo card. This step can be implemented in response to a desire toprocess the data on the video card. Step 404 receives the encrypted dataon the video card. Step 406 then decrypts the encrypted data on thevideo card and step 408 provides the decrypted data into video memoryfor processing by the GPU.

In the process described above, the data that moves from the system'smemory to the video card is encrypted and thus, any snooping devices orrogue applications that attempt to acquire the bus and steal or copy thedata will receive only encrypted data which, to the snooping devices orrogue applications, will be mathematically infeasible to decrypt.

Examplary Fisrt Video Card Embodiment

FIG. 5 shows an exemplary video (or graphics) card 500 in accordancewith one embodiment. Card 500 includes a bus connector 502 that snapsinto a port on a typical computer. Video card 500 also includes amonitor connector 504 (e.g. a 15-pin plug) that receives a cable thatconnects to a monitor. Video card 500 can, but need not, include adigital video-out (e.g. DVI) socket 506 that can be used for sendingvideo images to digital displays and the like.

Like the video card of FIG. 1, video card 500 comprises a graphicsprocessor unit (GPU) 508, video memory 510, random access memorydigital-to-analogue converter (RAMDAC) 512, and driver software whichcan be included in the Video BIOS 514.

GPU 508 is a dedicated graphics processing chip that controls allaspects of resolution, color depth, and all elements associated withrendering images on the monitor screen. The memory controller (sometimesintegrated into the GPU) manages the memory on the video card. Thecomputer's central processing unit or CPU (not shown) sends a set ofdrawing instructions and data, which are interpreted by the graphicscard's proprietary driver and executed by the card's GPU 508. GPU 508performs such operations as bitmap transfers and painting, windowresizing and repositioning, line drawing, font scaling and polygondrawing. The GPU can then write the frame data to the frame buffer (oron-board video memory 510).

The information in the video memory frame buffer is an image of whatappears on the screen, stored as a digital bitmap. RAMDAC 512 isutilized to convert the digital bitmap into a form that can be used forrendering on the monitor, as described above.

In addition to these components, in this embodiment, video card 500comprises a memory controller 516 and a key manager 518. The video cardcan also include a decryptor 520. These components can be implemented inany suitable hardware, software, firmware or combination thereof.

Memory controller 516 receives encrypted data on the video card anddecrypts the data into protected regions or portions of video memory510. The decrypted data is now in a state in which it can be operatedupon by the GPU 508. The memory controller can also be responsible forensuring that data transfers on the video card are made betweenprotected regions or regions that have a compatible degree ofprotection. That is, often times during processing of the data on thevideo card, the GPU 508 will operate on the data in the video memory(for example, by performing a blending operation) and will cause theresultant data to be written to a different video memory location. Inthis instance, there may be regions of video memory that are notprotected or are protected at a different level. In this case, thememory controller can ensure that data transfers within the video cardtake place in a manner that ensures the protection of the unencrypteddata. Examples of how this can be done are described below in moredetail.

Key manager 518 controls encryption and decryption keys that are used toencrypt and decrypt data on the video card. In one implementation, keymanager 518 comprises a separate chip. Key manager 518 iscommunicatively linked with the memory controller and can program thememory controller with the various encryption/decryption keys.Advantageously, communication between the key manager 518 and memorycontroller 516 takes place through an encrypted, authenticatedcommunication channel thus ensuring that the key manager is the onlyentity that can program the memory controller.

The video card 500 can also include a decryptor 520 that is configuredor configurable to decrypt data. For example, in some instances datathat is unencrypted on the video card can be written to a memory regionthat is not protected. For example, such data may be written to aso-called “primary surface” or desk top surface that contains data thatis used by the RAMDAC 512 for rendering an image on the monitor. In thiscase, it can be desirable to protect the unencrypted data so that it isnot subject to attack. Accordingly, when the data is moved from aprotected memory region to an unprotected memory region, the memorycontroller 516 can encrypt the data. In this example, the key manager518 keeps track of and knows which keys are associated with theencrypted data in the unprotected memory region. When the encrypted datais to be provided to the RAMDAC 512, the key manager can then instructthe decryptor 520 on which key or keys to use to decrypt the encrypteddata. The encrypted data is then provided to the decryptor 520,decrypted and then provided to the RAMDAC 512 for further processing.

Alternately, the decryptor can be eliminated and the RAMDAC 512 can beconfigured to perform the decryption functionality. In this case, thekey manager 518 can instruct the RAMDAC on which keys to use toeffectuate the decryption.

FIG. 6 shows, in accordance with one embodiment, selected components ofvideo card 500 (FIG. 5) in more detail generally at 600. There, memorycontroller 516 comprises a decryption module 602 that is configured toreceive encrypted data from the bus (either the PCI or AGP in thisexample) and decrypt the data into video memory 510. In addition, amemory protection table 604 and an equivalent decision table 606 areprovided.

In this example, memory protection table 604 includes a table portion604 a that contains entries that associate encryption/decryption keypairs with individual portions of the video memory 510. For example,encryption/decryption key pair E₁/D₁ are associated with memory portion608, encryption/decryption key pair E₂/D₂ are associated with memoryportion 610 and so on. When decrypted data in the video memory is to bewritten to system memory off of the video card, or any other time whenthe data on the video card is to be provided over the bus (e.g. the PCIor AGP bus), the CPU can cause the data to be encrypted with one of theencryption keys in table portion 604 a. The encrypted data can then beplaced onto the bus and provided, for example, into the system memory.When the memory controller 516 receives encrypted data from the systemmemory that has been encrypted, for example, with key E₁, decryptionmodule 602 can locate the associated decryption key D₁ and decrypt thedata into memory portion 608.

There can be a number of protected portions of video memory 510. In thepresent example, there are four protected portions designated 608-614.Unencrypted data in these protected portions can be processed by the GPU508 (FIG. 5) in the usual manner. The protected portions of the videomemory can be protected by an access control list. For example, memoryprotection table 604 includes a table portion 604 b that can define anaccess control list for the various portions of video memory. Eachportion of the video memory can have defined, in its associated accesscontrol list, which entities can access the memory portion. Thus, anyattempted accesses by entities other than those contained in each memoryportion's access control list will not be permitted by the memorycontroller.

Notice also that video memory 510 can include portions that are notprotected. In this example, portions 616-624 are not protected.Accordingly, there are no encryption/decryption key pairs associatedwith these memory portions.

FIG. 7 is a flow diagram that describes steps in a method in accordancewith one embodiment. The method can be implemented in any suitablehardware, software, firmware or combination thereof. In the illustratedexample the method can be implemented, at least in part, with a systemsuch as the one described in connection with FIG. 6.

Step 700 provides one or more keys pairs. Each key pair comprises anencryption key and an associated decryption key. Step 702 associates thekey pair(s) with individual portions of video memory. Any suitable waycan be utilized to associate the key pairs with the video memoryportions. In the example of FIG. 6, a memory protection table isemployed having multiple different entries. Individual table entriescorrespond to a particular key pair, and each table entry is associatedwith a portion of the video memory.

Step 704 encrypts unencrypted data using an encryption key of a keypair. For example, if unencrypted data in the video memory is to bewritten to the system memory, the CPU can cause the data to be encryptedwith an encryption key that is associated with the video memory portionin which the data resides. Step 706 then sends the encrypted data overthe bus to, for example, system memory.

Step 708, which follows from step 702, decrypts encrypted data using adecryption key of a key pair. For example, assume that data is encryptedwith an encryption key and then provided into the system's memory. Ifthe encrypted data is needed by the GPU, the data can be sent, by theCPU, to the video card. Upon receiving the encrypted data, the memorycontroller can locate a decryption key that is associated with theencryption key that was used for encrypting the data, and decrypt thedata using the decryption key. Step 710 can then provide the data intoan associated video memory portion that is associated with thedecryption key. In this manner, data can be protected whenever it is tobe provided over one or more of the system busses.

Equivalent decision table 606 (FIG. 6) is provided and is used by thememory controller 516 to ensure that data transfers within the videocard's memory 510 are done in a manner that preserves the data'sprotection.

As an example, consider FIG. 8. Often times when the GPU processes dataon the video card, it moves the data from one memory location toanother. For example, when the GPU performs a blending operation, it maytake data from two different memory portions on the video card, blendthe data and then write the resultant blended data to an all togetherdifferent portion of the video memory. This is diagrammaticallyindicated by GPU Operation 800. Assume here that the GPU is performingan operation that has two inputs and one output. Each of the inputscorresponds to data that is stored in a protected portion of the videomemory. In this example, one of the inputs is stored in a protectedportion of video memory that is associated with encryption key E₁, andthe other of the inputs is stored in a protected portion of video memorythat is associated with encryption key E₂ (hence the E₁ and E₂ inputs).Once the operation is performed, the resultant output data is to bestored in a protected portion of the video memory associated withencryption key E₄. Now, wherever the GPU performs a memory transfer suchas this, the memory controller 516 makes sure that it knows where thedata came from and where the data is going to be stored. The memorycontroller then checks to ensure that the portions of video memory thatthe output data is to be stored in is consistent, in terms of the levelof protection that the data is provided, with the protections affordedby the memory portions from which the constituent data came.

In this example, protection consistency can be enforced by ascertainingthat the keys associated with the memory portions that contained theinput data are the same as or equivalent to the key associated with thememory portion that is to hold the output data. Equivalence, in thisexample, can be determined based on the restrictions associated with thememory portions—that is—is there the same level of protection as betweenthe different memory portions? Keys might not be equivalent if, forexample, there are two different programs with two different pieces ofcontent. For example, say that each content is encrypted with adifferent key and that the programs associated with the keys cannotshare content. In this example, the encryption keys are not equivalent.

One way to ascertain the equivalence of keys associated with the variousmemory portions is to use an equivalent decision table such as table606. There, the table defines a matrix that contains entries for each ofthe keys. An “X” in one of the matrix cells indicates that the keys areequivalent. For example, looking first at key E₁, this key is equivalentto keys E₁, E₂ and E₄. Thus, as shown best in FIG. 6, data can be freelytransferred between memory portions 608, 610, and 614. Key E₁ is not,however, equivalent to key E₃. Thus, data cannot be transferred frommemory portion 608 into memory portion 612. In the FIG. 8 example, sincethe input data comes from memory portions 608 and 610 and the resultantdata is to be stored in memory portion 614, equivalency is not an issueand the operation can take place.

FIG. 9 is a flow diagram that describes steps in a method in accordancewith one embodiment. The method can be implemented in any suitablehardware, software, firmware or combination thereof. In the illustratedexample the method can be implemented, at least in part, with a systemsuch as the one described in connection with FIG. 6.

Step 900 reads data from video memory portions on a video card. Thisstep can be implemented by the GPU. Step 902 records key pairsassociated with the video memory portions from which the data was read.This step can be implemented by the memory controller. Step 904ascertains whether the recorded key pairs are equivalent to a key pairassociated with a video memory portion that is to serve as a destinationfor the output data that results from the operation of the GPU. If thekey pairs are equivalent, then step 906 provides the output data intothe video memory destination portion. If, on the other hand, the keypairs are not equivalent, then step 908 finds a video memory destinationportion that has an equivalent key pair or possibly step 910 outputsblank data to the specified memory destination.

Exemplary Second Video Card Embodiment

FIG. 10 shows an exemplary video (or graphics) card 1000 in accordancewith another embodiment. Here, a portion of the figure is designated“Video Card” and a portion of the figure is designated “System”. Suchnotation is intended to designate those components that reside,respectively, on the video card and the system. The “System” side of thefigure includes a CPU 1002 and system memory 1004. Notice also thatwithin the system memory 1004 is data 1006 that is intended for use onthe video card 1000.

In this embodiment, data 1006 that resides in the system memory 1004 isunencrypted. CPU 1002 is configured to encrypt the data whenever it isto be sent over the bus to the video card. Such is typicallyaccomplished by a CPU operation known as an “encrypt memory transfer”.Thus, the encrypted data is now placed into an unprotected portion 624of video memory 510. In this example, the data might be encrypted by theCPU with encryption key E₁.

Recall that the GPU 508 is configured to process unencrypted data.Accordingly, when the GPU 508 desires to process encrypted data in theunprotected portion of the video memory 510, the data should bedecrypted. In this embodiment, GPU 508 contains decryption functionalitywhich is represented in the figure by decryption module 602. Key manager518 is communicatively linked with the GPU 508 and can program the GPUwith the appropriate decryption keys. Of course, communication betweenthe key manager and the GPU can take place via an authenticated link.

Accordingly, when the GPU wishes to operate upon encrypted data 1006 inthe video memory, it can access the encrypted data and decrypt it into aprotected portion of the video memory—here protected portion 614. Thedecryption can take place via an operation known as a “decrypt memorytransfer”. Now that this and other data is in protected portions of thevideo memory, the GPU can freely operate upon it in the usual manner.

In this embodiment, memory controller 516 can enforce memory protectionby controlling access to the protected portions of the video memory viaan access control list (not specifically shown). Thus, any time anentity such as the GPU 508 (or portions thereof) wishes to access theprotected video memory portions, it will gain access via the memorycontroller 516. The access control list can describe what kind ofprotection the data has and which entities can access it. For example,the access control list can define which portions of the GPU can accessthe protected memory and one or more applications that “own” theprotected memory and thus have access.

Now, when the data in the protected portions of the video memory is tobe moved to an unprotected portion of the video memory, it can beencrypted. For example, assume that the data in memory portion 614 is tobe moved to unprotected memory portion 620 (which, in this example,corresponds to the desk top surface that is to be processed by theRAMDAC for rendering). The GPU 508 can access the protected memoryportion via the memory controller 516 and perform an encryption memorytransfer operation to encrypt the data into the memory portion 620. Whenthe encrypted data is to be provided to the RAMDAC for processing, thekey manager 518 can communicate with decryptor 520 and provide thedecryptor with the appropriate decryption key for decrypting theencrypted data in the memory portion 620. After decrypting the data, thedecryptor 520 can provide the data to the RAMDAC for processing in theusual manner.

Notice also that memory controller 516 also comprises an equivalentdecision table (not specifically designated). This table is similar, inconcept, to the table discussed in connection with FIGS. 6 and 8. Here,however, the table is used to ensure that the access control lists thatare associated with each of the memory portions of the video memory 510are equivalent when data is to be transferred therebetween. For example,assume that data in memory portion 614 is to be transferred to memoryportion 620. Accordingly, in this example, the memory controller 516checks to ensure that the access control list associated with memoryportion 614 is equivalent to the access control list associated withmemory portion 620. If so, the data transfer is performed.

CONCLUSION

The various embodiments described above can ensure that data that isintended for use by a video card can be encrypted such that anytime thedata is provided onto a bus (e.g. the PCI or AGP bus) between the videocard and the computer system, the data is encrypted. Thus, snoopingdevices or rogue applications that acquire the bus cannot access thedata and thus steal the data in its unencrypted form. Accordingly,another level of protected can be provided for content that is to beprocessed by the system's video card.

Although the invention has been described in language specific tostructural features and/or methodological steps, it is to be understoodthat the invention defined in the appended claims is not necessarilylimited to the specific features or steps described. Rather, thespecific features and steps are disclosed as preferred forms ofimplementing the claimed invention.

1. A method comprising: providing a video card memory on a video card,wherein the video card contains a graphics processor unit (GPU) andwherein the video card memory includes protected and unprotectedportions; providing one or more key pairs, individual key pairscomprising an encryption key that can be used to encrypt data and adecryption key that can be used to decrypt data encrypted with theencryption key; providing a table on the video card, the table havingindividual entries that associate individual key pairs with individualprotected portions of the memory; providing unencrypted data into aprotected portion of the video card memory; encrypting the unencrypteddata on the video card; and transferring the encrypted data off of thevideo card.
 2. The method of claim 1, wherein the protected portion ofthe video card memory is protected with an access control list.
 3. Themethod of claim 1, wherein the act of encrypting is performed any timethe unencrypted data is to be provided into system memory off of thevideo card.
 4. The method of claim 1, wherein the act of encrypting isperformed any time the unencrypted data is to be provided onto a busconnected between the video card and a computer system's centralprocessor unit, the video card comprising part of the computer system.5. One or more computer-readable media having computer-readableinstructions thereon which, when executed by one or more processors,cause the one or more processors to: provide unencrypted data into aprotected portion of a video card memory on a video card, wherein thevideo card contains a graphics processor unit (GPU) and wherein thevideo card memory includes protected and unprotected portions; provideone or more key pairs, individual key pairs comprising an encryption keythat can be used to encrypt data and a decryption key that can be usedto decrypt data encrypted with the encryption key; provide a table onthe video card, the table having individual entries that associateindividual key pairs with individual protected portions of the memory;encrypt the unencrypted data on the video card any time the unencrypteddata is to be provided onto a bus between a computer system's memory offof the video card; and transfer the encrypted data onto the bus.